20.06.2025
Data protection management system (DPMS): your key to GDPR compliance
To fulfil the requirements of the General Data Protection Regulation (GDPR), the implementation of a data protection management system (DPMS) is recommended. Such a system allows data protection requirements to be specified, planned, implemented and monitored in a structured way, which considerably simplifies compliance for companies and their employees. Read on to find out how to set up a GDPR-compliant DPMS, who should be responsible for it within your organisation, and which software can help.

Dr Philipp Siedenburg
Director Privacy
What is a data protection management system?
A data protection management system (DPMS) is the set of organisational measures a company implements to ensure that personal data is handled in accordance with data protection law. Derived from the requirements of the GDPR, it is an internal framework that helps the company achieve data protection compliance and, where required, provide evidence of it. The system is primarily intended to prevent breaches, but it also helps to remedy a breach quickly and to document that one did not occur.
Which companies need a DPMS?
In principle, all companies that process personal data can benefit from a DPMS. However, a DPMS is particularly important for:
- companies that process large volumes of data, e.g. those in the healthcare or financial sectors, or e-commerce platforms;
- companies that regularly process particularly sensitive data;
- companies that operate internationally and have to comply with different data protection laws.
The GDPR does not explicitly require the implementation of a DPMS. In practice, however, an obligation follows from Art. 24 and Art. 32 GDPR: controllers must implement appropriate measures proportionate to the risk of the processing, and Art. 32, para. 1, d) requires a process for regularly testing, assessing and evaluating the effectiveness of those measures, which is exactly what a management system provides. Furthermore, all controllers must be able to demonstrate compliance with data protection law and, in certain cases, document it. These are known as the documentation and accountability obligations.
In this context, the following points are particularly important for companies:
- The record of processing activities, Art. 30 GDPR;
- Data processing agreements with processors, Art. 28 GDPR;
- Technical and organisational measures (TOMs), Art. 24, 25 and 32 GDPR;
- Data protection impact assessments, Art. 35 GDPR;
- Designation of the data protection officer and communication of their contact details to the supervisory authority, Art. 37 GDPR;
- Evidence of employee training, Art. 39, para. 1, b) GDPR;
- Documentation of personal data breaches, Art. 33, para. 5 GDPR.
What does the structure of an effective DPMS look like?
And what does a DPMS actually entail? To define a meaningful DPMS structure, it is first necessary to obtain an overview of the data protection tasks for companies. Every collection, use, archiving or deletion of personal data constitutes a processing operation for which the GDPR must be observed.
An effective DPMS therefore consists of several central components and processes, including:
Policies and procedures
Companies need clear data protection policies and procedures that govern how personal data is processed. These must be reviewed and updated regularly, because companies must not only comply with the GDPR but also be able to prove that they do (see Art. 5, para. 2 GDPR).
Data protection officer
In many cases, the appointment of a data protection officer (DPO) is required. The DPO monitors compliance with data protection laws and acts as a point of contact for employees and data subjects. The data protection policy must therefore define the circumstances in which employees must contact and involve the DPO.
Register of processing activities
Another important component of the DPMS is the record of processing activities (VVT, from the German Verzeichnis von Verarbeitungstätigkeiten). It holds a large part of the documentation required for accountability under Art. 5, para. 2 GDPR and serves as the basis for the monitoring processes required by Art. 32 GDPR. Beyond the mandatory content of Art. 30 GDPR (purposes, categories of data subjects and data, recipients, transfers, envisaged erasure periods and a description of the TOMs), a well-kept VVT links each processing activity to the erasure concept, service provider management, the documented technical and organisational measures, data security and any data protection impact assessment (DPIA).
The first step is to establish where and under which circumstances personal data is collected and processed. A useful starting point is an inventory of every system or tool in the company in which personal data is stored.
Technical and organisational measures (TOMs)
These are the measures required by Art. 32 GDPR to ensure the security of the processing of personal data, proportionate to the risk. They include encryption, access control and pseudonymisation, which protect the confidentiality and integrity of personal data. Note that pseudonymised data remains personal data as long as the additional information needed for re-identification exists (Art. 4, No. 5 and Recital 26 GDPR); pseudonymisation reduces risk but does not remove the data from the scope of the GDPR.
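The following is an added illustration of pseudonymisation as a technical measure; it is not code from the original article or from ISiCO. It shows why an unkeyed hash of an identifier is not an adequate pseudonym (an attacker with a candidate list simply recomputes it) and why a keyed HMAC, with the key stored apart from the data set as the "additional information" of Art. 4(5), holds up against the same dictionary attack. The records, the candidate list and the key are constructed for the demonstration.

```python
"""Pseudonymisation as a technical measure (Art. 32 GDPR).

Added example, not code from the original article. Records, candidate list
and key are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample records; the e-mail address is the direct identifier.
RECORDS = [
    {"email": "alice@example.org", "purchase": "book"},
    {"email": "bob@example.org", "purchase": "lamp"},
    {"email": "alice@example.org", "purchase": "pen"},
]

# Constructed list an attacker might hold (e.g. a leaked customer list).
CANDIDATES = ["carol@example.org", "alice@example.org", "bob@example.org"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic, but anyone who can guess the input can
    recompute the value, so this is not a pseudonym in the Art. 4(5) sense."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    of Art. 4(5) GDPR and must be stored separately from the data set."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Replace the direct identifier with a keyed pseudonym. Records of the same
    person keep the same subject_id, so analyses across records still work."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_id"] = keyed_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def reidentify_by_dictionary(pseudonym: str, candidates: list) -> Optional[str]:
    """Attacker without the key: hash each candidate and compare. Works against
    unkeyed hashes of low-entropy identifiers; fails against keyed ones."""
    for candidate in candidates:
        if hmac.compare_digest(naive_pseudonym(candidate), pseudonym):
            return candidate
    return None


def demo(key: Optional[bytes] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (identifier recovered from the naive hash,
               identifier recovered from the keyed HMAC)."""
    key = key or secrets.token_bytes(32)
    naive = naive_pseudonym("alice@example.org")
    keyed = keyed_pseudonym("alice@example.org", key)
    return (reidentify_by_dictionary(naive, CANDIDATES),
            reidentify_by_dictionary(keyed, CANDIDATES))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    for row in pseudonymise(RECORDS, key):
        print(row)
    print(demo(key))  # ('alice@example.org', None)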
Risk management
A risk analysis process helps identify potential data protection risks and take appropriate measures to minimise them.
PDCA cycle
For implementation, it is advisable to use the four-phase PDCA (Plan-Do-Check-Act) cycle, which is well suited to a DPMS and is therefore also used in the Standard Data Protection Model (SDM) of the German data protection authorities. This approach ensures continuous improvement, as each 'check' is followed by an 'act' phase, i.e. a response to the outcome of the review. A new planning phase then begins, so the cycle keeps moving towards improvement.
- Plan: planning, specification, documentation.
- Do: implementation and logging.
- Check: control, testing and assessment.
- Act: improvement.
Are there official standards for data protection management systems?
Several standards can serve as guidelines for a DPMS. These include ISO/IEC 27701, which extends ISO/IEC 27001 and 27002 with requirements for a privacy information management system (PIMS), and ISO/IEC 27001 itself, which contains the general requirements for an information security management system. Because ISO/IEC 27701 is an extension rather than a stand-alone standard, certification against it presupposes an ISO/IEC 27001 ISMS.
How can a DPMS be implemented in your company?
The exact implementation depends on the organisation's specific needs. Nevertheless, a rough step-by-step guide might look like this:
- Planning: Determine the data protection requirements and define the objectives.
- Inventory: Carry out a gap analysis or audit to evaluate existing processes.
- Define measures: Develop and document data protection guidelines and procedures.
- Implementation: Implement the measures within the company.
- Monitoring and review: Regularly monitor and improve the DPMS through internal audits and the PDCA cycle.
Who is responsible for the company's data protection management system?
In practice, the data protection officer usually coordinates the DPMS and, in larger companies, is supported by a data protection team. Ultimately, however, the controller, i.e. the management team, remains responsible for the DPMS and should actively support it. Note that the DPO's other tasks must not create a conflict of interest (Art. 38, para. 6 GDPR), so decisions about the purposes and means of processing should sit with the business, not with the DPO.
What penalties are there for not having a proper DPMS?
As a DPMS is not explicitly required by law, the absence of one is not sanctioned in itself, provided that the prescribed documentation and accountability obligations are fulfilled. Nevertheless, implementation is highly recommended: under Art. 83, para. 2, d) GDPR, the technical and organisational measures a controller has implemented are a factor in setting the level of a fine, so a functioning DPMS can reduce the penalty in the event of a violation. Furthermore, an effective system enables the company to respond swiftly in the event of a data protection violation.
Is there DPMS software that can be used?
Specialised data protection management software, such as caralegal, supports the implementation of a DPMS and makes it easier to operate. DPMS software can centralise and automate the data protection process within a company. However, software alone is usually insufficient; expert advice is also required, because managing data protection in a company is time-consuming for the responsible employees given the many GDPR requirements.
Keeping track of numerous tasks with different deadlines, spread across differently structured and widely distributed documents, is also very error-prone. ISiCO consultancy combines both: expert advice and the option of using the caralegal software.
What is the difference between a DPMS and an ISMS?
A DPMS focuses specifically on protecting personal data in accordance with data protection laws. In contrast, an information security management system (ISMS) has a broader focus, protecting all of an organisation's information assets from various threats.
How does implementing or optimising the DPMS with ISiCO work?
Implementing or optimising a DPMS with ISiCO begins with a detailed analysis of the company's existing data protection processes. ISiCO then develops bespoke solutions that consider both legal requirements and the company's specific needs. Support covers everything from planning and implementation to the ongoing monitoring and improvement of the DPMS.
Non-binding initial consultation for a DPMS
- We support you in setting up an efficient DPMS.
- During the initial consultation, we will discuss your requirements free of charge.
- We ensure that your company takes the necessary protective measures with customised data protection management, without compromising the required agility and innovative strength.